Protect User Settings

Wiryono Lauw

Aug 21 2010 10:22 PM
Hi All

I'm developing a WinForms application using C#.

My background is in developing web apps, but I am now starting to move to Windows apps due to some limitations.

I found out that handling and protecting user settings is not easy. In web apps everything is kept on the server, so without access to the server you won't be able to see the settings.

In a Windows application I am also able to save my settings in the database, but the problem would be the connection string.
I can make it fixed inside the code, but then it would be very difficult if something needs to change (the database place, etc.).
So I need to be able to change it, and that means I have to save it in a file.

Now I can use the built-in settings in Visual Studio; it's quick and easy. But I don't like it, because I don't understand how it works, and second, I prefer using a free IDE such as SharpDevelop or MonoDevelop, which don't come with the .settings manager.

My solution will be saving it using an XML file; during my search I found it was the most suitable one. Yet another problem arose: since it is an XML file it will be saved on the user's computer, and I don't want normal people (not techy guys) to find the connection string there and use it for abusing my application or, worse, the database. So I need to protect it somehow using encryption and decryption.

I got the tutorials here:
How to: Encrypt XML Elements with Asymmetric Keys > http://msdn.microsoft.com/en-us/library/ms229746.aspx
How to: Decrypt XML Elements with Asymmetric Keys > http://msdn.microsoft.com/en-us/library/ms229919.aspx

It's great, but the problem is it can only encrypt and decrypt on the same computer.

Suppose there is a problem in my settings (during development), then I create a new XML settings file, encrypt it and distribute it to the users. The decrypt function will no longer work. If I use the above decrypt tutorial it always returns Bad Data.

So I wonder if there is an encryption method that uses a simple key string saved inside the application (so it's all the same):

string key = "af3094uoAFLSDJ";

Something like that, so it won't be based on the machine.

I know it's not safe; a techy guy who specializes in hacking will be able to get the key. But that's not my problem at the moment; I can still lock it down at the database level (allow only local connections) and at the firewall level in case I open a VPN later.

Is there a simple way to do this?